back to the future - embedded tech trends · 2019. 2. 5. · uefi class 3 bios (all by 2020)...
TRANSCRIPT
![Page 2: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/2.jpg)
ETT 2019Back to the Future?
January 2019 2
Michael J. Fox as Marty McFly on a hoverboard in 2015 in Back To The Future Part II (1989), screen shot, January 1, 2015. (http://youtube.com). URL: https://donaldearlcollins.com/2015/01/01/back-to-my-future-forward-to-the-past/
Legacy
Future
![Page 3: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/3.jpg)
VMEbus interfacePMC supportBackwards compatible rear I/OVME32 handles and 3-row P2 connector
ETT 2019An Example – one of our new VME boards
January 2019 3
6-core Intel® Xeon® ProcessorUEFI BIOS onlyNVMe M.2 storageEnhanced Security
Legacy Future
VP B7x/msd
![Page 4: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/4.jpg)
January 2019 4
I have to run the same application code we developed x years agoI can’t change the Operating System (or version)I want to retain the option to change supplierI need the latest security features My program runs for another y years
ETT 2019Typical Customer Needs:
Not easy - but that’s what we’re good at
![Page 5: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/5.jpg)
January 2019 5
Intel x86 processors are backwards compatible They can run any code developed for older processorsFor security and scalability there are now some restrictions
ETT 2019Intel Procesors
![Page 6: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/6.jpg)
Many Intel processors now only support UEFI Class 3 BIOS (all by 2020)
Improves securityBut there is no 16-bit legacy BIOS via a Compatibility Support Module (CSM)
It is not possible to natively boot a legacy Operating System including:Windows 7 Any 32-bit OS like VxWorks 6.x, Linux 32-bit etc
ETT 2019UEFI BIOS
www.uefi.org
January 2019 6
![Page 7: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/7.jpg)
Boot using a bare metal or hosted hypervisor Run the legacy OS and application in a Virtual MachineHas an small impact on real time performance
ETT 2019One solution
January 2019 7
Hypervisor
VMLegacy OS & Application
VMware ESXiHyper-VLynx Secure Hypervisor
VxWorks 6.xWindows NTWindows XP
![Page 8: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/8.jpg)
Many interfaces support Single Root I/O Virtualization (SR-IOV)One physical device appears as multiple separate physical devicesEach VM has the ability to access the interface
ETT 2019VP B7x/msd Example
January 2019 8
Hypervisor
VM 1Legacy OS & Application
VM 2OS &
Application
GbE with SR-IOV
![Page 9: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/9.jpg)
Some devices like the VMEbus interface chip are not SR-IOV capableIt works in Direct Path I/O mode
Limits one Virtual Machine to access the VMEbus interface directly
ETT 2019VP B7x/msd Example
January 2019 9
Hypervisor
VM 1Legacy OS & Application
VM 2OS &
Application
VMEbus
![Page 10: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/10.jpg)
ETT 2019Security Timeline
200920021993 2012 2015
User access permissions
IPv6 using IPSec TPM 1.2
Bitlocker, User Account Control,
Defender
UEFISecure Boot TPM 2.0
Device Guard, Credential Guard,
Boot Guard
January 2019 10
![Page 11: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/11.jpg)
Each level can be measured The hashes are recorded in a TPM for remote attestationSecure Boot only loads a trusted (signed) operating system bootloader
ETT 2019Trust Levels and Attestation
Application
TPM
January 2019 11
Firmware Operating System
Only measures what’s happening
![Page 12: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/12.jpg)
ETT 2019End to end Security is needed
Loaded at our customer’s facility
Secure Application
Loaded at our factory
January 2019 12
Firmware Secure OS
Any break in this chain is a potential risk
![Page 13: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/13.jpg)
We now sign our firmware using a private keyDuring the manufacturing process, the board is ‘fused’ to the public keyAny attempt to boot using non-authorized firmware will fail:
Verified and Measured profiles implemented with Immediate Shutdown
Maintenance updates can be done: We provide a new firmware image to the customer signed with the private key
Ensures the firmware has not been tampered with:Between leaving our factory and arriving at a customer’s siteDuring the life-cycle of the product
ETT 2019Intel Boot Guard
January 2019 13
![Page 14: Back to the Future - Embedded Tech Trends · 2019. 2. 5. · UEFI Class 3 BIOS (all by 2020) Improves security But there is no 16-bit legacy BIOS via a Compatibility Support Module](https://reader035.vdocuments.net/reader035/viewer/2022071517/613a8aad0051793c8c0119ca/html5/thumbnails/14.jpg)
Continue the balancing actPart of our moral and ethical duty as COTS suppliers in this space
ETT 2019Conclusion
January 2019 14